Modify rule S5496: Add an how to fix session for Java and Groovy (APPSEC-1587) (#3900)

docs/header_names/allowed_framework_names.adoc

@@ -24,31 +24,32 @@
 * Xerces
 * libxml2
 // Java
+* Android
 * Apache Commons
+* Apache Commons
+* Apache Commons Email
+* Apache HttpClient
+* Auth0 JWT
+* Commons Compiler
+* Dom4j
+* FasterXML
+* Groovy
+* Gson
+* Hibernate
+* Java Cryptography Extension
+* Java EE
+* Java JWT
+* Java SE
+* Jdom2
 * JSP
+* Legacy Mongo Java API
+* OkHttp
+* Realm
 * Servlet
 * Spring
 * Spring Data Redis
-* Thymeleaf
-* Java SE
-* Java EE
-* Hibernate
-* Apache Commons
-* Commons Compiler
-* Legacy Mongo Java API
-* FasterXML
-* Gson
-* Android
-* Dom4j
-* Jdom2
-* OkHttp
-* Java JWT
-* Auth0 JWT
-* Apache Commons Email
 * SQLCipher
-* Realm
+* Thymeleaf
-* Java Cryptography Extension
-* Apache HttpClient
 // JS
 * Flow.js
 * Node.js

rules/S5496/java/how-to-fix-it/groovy.adoc

@@ -0,0 +1,47 @@
+== How to fix it in Groovy
+
+=== Code examples
+
+==== Noncompliant code example
+
+The following code example is vulnerable to a Server-Side Template Injection
+attack because it builds a template string from a user input without control or
+sanitation.
+
+[source,java,diff-id=21,diff-type=noncompliant]
+----
+@GetMapping("/example")
+public String example(@RequestParam("title") String title) throws CompilationFailedException, ClassNotFoundException, IOException {
+    String templateString = "h1('" + title + "')";
+    TemplateConfiguration config = new TemplateConfiguration();         
+    MarkupTemplateEngine engine = new MarkupTemplateEngine(config);     
+    Template template = engine.createTemplate(templateString); // Noncompliant
+    Writable out = template.make();
+    return out.toString();
+}
+----
+
+==== Compliant solution
+
+[source,java,diff-id=21,diff-type=compliant]
+----
+@GetMapping("/example")
+public String example(@RequestParam("title") String title) throws CompilationFailedException, ClassNotFoundException, IOException {
+    String templateString = "h1(title)";
+
+    Map<String, Object> ctx = new HashMap<>();
+    ctx.put("title", title);
+
+    TemplateConfiguration config = new TemplateConfiguration();         
+    MarkupTemplateEngine engine = new MarkupTemplateEngine(config);     
+    Template template = engine.createTemplate(templateString);
+    Writable out = template.make(ctx);
+    return out.toString();
+}
+----
+
+=== How does this work?
+
+The compliant code example uses a template binding to pass user information to
+the template. The rendering engine then ensures that this tainted data is
+processed in a way that will not change the template semantics.

rules/S5496/java/rule.adoc

@@ -8,6 +8,8 @@ include::../impact.adoc[]
 
 include::how-to-fix-it/spring.adoc[]
 
+include::how-to-fix-it/groovy.adoc[]
+
 
 == Resources